Can GRC Automation Tools Help Firms Gain Control Over Risk and Compliance?

As spreadsheets pile up and manual processes grow increasingly inefficient for managing governance, risk and compliance, automation tools are stepping out of the shadows to help.

Spreadsheet-dependant and siloed accurately describes many IT organizations' approach to governance, risk and compliance (GRC) tasks. But according to experts, there is a better way.

Not only has a technology category grown up to help automate GRC, but many of the solutions currently on the market are more advanced than most organizations' current practices, says Paul Proctor, a VP and distinguished analyst for Gartner. "The maturity of most existing technology solutions exceeds the maturity level of most organizations," he contends.

While this means a well-developed GRC initiative can help take a firm's governance to the next level, Proctor emphasizes that organizations will reach their goals only by viewing GRC automation tools as a means rather than an end. "GRC is neither a project nor a technology," he stresses. "It's a control framework for safeguarding your organization at a level that strikes a balance between business needs and protection needs."

While many GRC automation vendors will offer to assist with developing the framework, Proctor advises otherwise. "I strongly recommend getting your ducks in a row, separately," he says.

In other words, considerable up-front effort may be required well before the search for a technology tool begins. "Don't expect that simply buying a GRC tool will solve your problems," Proctor says. "It won't."

One organization that heeded such advice is Oslo-based DnB NOR. As Norway's largest financial services group, with total assets of US$313.5 billion, DnB NOR faced common large-enterprise GRC challenges.

"By early 2009 our IT landscape had become very complex to manage and govern," relates Sofie Nystrom, chief information security officer for DnB NOR. "The traditional, manual way of handling information with spreadsheets, word processing documents and e-mail was no longer accurate or agile enough."

A Process Looking for a Solution

To begin, DnB NOR gathered a cross-functional team of IT and business users. The team held conceptual discussions and, by late summer 2009, settled on automating a well-established manual IT GRC process called SaRA, for Security and Risk Assessment, as a starting point.

"Rather than creating a process on top of a technology tool, we decided to integrate a tool into an existing process," Nystrom says. "In the end, this was a big advantage to achieving rapid success."

Already in place for about seven years when the GRC automation initiative began, SaRA was a 40-page evaluation completed for every new IT development project, Nystrom explains. "Not only was SaRA a fine-tuned vehicle, but the tasks within it were very familiar to business users and IT users," she says.

Still, streamlining SaRA wasn't a slam dunk. "GRC automation is an internal application not directly facing our customers," says Nystrom, indicating that securing funding could have been a challenge. "Fortunately, decision makers could understand the inefficiencies of filling out 40 pages for each of the approximately 1,000 new product projects our organization averages a year."

With executive leadership onboard and an initial project established, DnB NOR considered eight potential vendors and, in fall 2009, sent RFPs to four. Of those, RiskVision from San Jose, Calif.-based Agiliance stood out as the most IT-centric, according to Nystrom. "RiskVision provided a comprehensive picture of IT risk," she says, declining to name the alternatives. "And it had more technical capabilities within the tool that we could grow into over time, making it the best fit for our immediate and future needs."

After installing RiskVision on a Windows-enabled server in March 2010, DnB NOR began building a centralized repository of all IT assets, both hardware and software, and integrating it with the solution. Then manual SaRA processes were migrated into the environment, Nystrom reports.

Although RiskVision-related activities proceeded smoothly, an organizational transition to 64-bit operating systems required Agiliance to provide considerable support. "We had requested such assistance as a component of the RFP," says Nystrom. "In retrospect, this was critical because any significant landscape change can create challenges."

The only other struggle was RiskVision's lack of multilanguage support, Nystrom notes. "Norwegian has three more vowels than English," she explains. "In addition, our organization is acquiring an institution with Baltic and Polish locations, so we will need to support those languages as well."

However, Nystrom says, the language challenge is hardly unique to Agiliance, which is working on a fix. "In our experience, most of the existing GRC tools are U.S.-centric," she asserts.

Meanwhile, DnB NOR developed a language workaround and rolled out the new SaRA system in September 2010. Between the go-live and year end, approximately 50 projects completed the online SaRA evaluation, and as of Jan. 1, 2011, all IT projects began using the new system, which is context-based, Nystrom says. "It walks users through relevant questions based on the information and answers they provide," she explains.

In addition, questions can easily be delegated to appropriate team members, allowing multiple individuals to work on an assessment simultaneously, Nystrom adds. This has eliminated passing around the entire 40-page document by e-mail. "Now it's easy for anyone to investigate the progress of a given assessment and determine what remains outstanding," she says.

To date, feedback has been overwhelmingly positive, according to Nystrom. "Security assessments aren't anyone's favorite topic," she acknowledges. "Speeding up the GRC process and removing the onerous aspects has definitely been a win."

And from an executive perspective, the transparency gains are equally significant. Using a dashboard that aggregates information for each functional area, in real time, managers can drill down into the details with a few mouse clicks. "Before, it required going into different complex spreadsheets, which had grown to four our five thousand over time," Nystrom points out. "Having a centralized risk registry, along with its reporting capabilities, is an immense benefit."

Going forward, more processes will be added to the environment, including infrastructure and vulnerability scans and reassessments of existing production applications, Nystrom adds. "Instead of attempting to do everything at once, we started small and will build on our successes," she says.